[Snort-users] snort not catching any packets

Michael Steele michaels at ...9077...
Fri Apr 26 12:04:34 EDT 2013

This could pose a massive problem enabling all those rules. You might want
to take a look at PulledPork for your rule processing.


Best regards,



WINSNORT.com Management Team Member

****************** Established ~ 2001 *******************
*          Visit Us @ http://www.winsnort.com           *
*      ~~ FREE WinIDS Snort installation guides ~~      *
*               ~~ FREE support forums ~~               *
*  Snort: Open Source Network IDS - http://www.snort.org  *



From: Robert W [mailto:rwawrig at ...131...] 
Sent: Friday, April 26, 2013 10:47 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort not catching any packets


I've found the issue, in case anyone is wondering why snort is not capturing
anything even when there are no errors and all looks ok.

The rules which I've downloaded from snort.org have most of the alerts
commented out within the rule files. After I enabled all the alerts from
scan.rules, my scans started to get logged by snort.

From: Robert W <rwawrig at ...131...>
To: snort-users at lists.sourceforge.net
Sent: Friday, April 26, 2013 10:31 AM
Subject: [Snort-users] snort not catching any packets

I'm new to snort, so I'm probably missing something obvious.

I'm running snort with unified2 output and barnyard2, which is saving to
mysql, with snorby as the front-end.
Snort is not catching anything with only the rules enabled (snort.conf ->
Step #7: Customize your rule set). The "merged.log" unified2 file stays at 0.
If I enable the decoder and preprocessor event rules (Step #8) then it starts
catching events, but they are coming up as Snort Alert [xxx:y:z]. The alerts
are not mapped to names.


Also barnyard is giving this message:

[Event: 1] with [gid: 120] [sid: 3] [rev: 1] [classification: 2] [priority:
3]    was not found in barnyard2 signature cache, this could lead to display
inconsistency. To prevent this warning, make sure that your sid-msg.map and
gen-msg.map file are up to date with the snort process logging to the spool


I've checked all the conf files and the variables again and again; all point
to the correct sid-msg.map and gen-msg.map.


Any idea what may be wrong?
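
Two checks that follow from this thread, as an added example (this is not
code from the thread, from Snort, or from barnyard2): a shell script that
counts how many rules in a .rules file are shipped commented out, which is the
cause Robert reports above, and that resolves the gid:sid in a barnyard2
"was not found in barnyard2 signature cache" warning against gen-msg.map (for
decoder and preprocessor generators) or sid-msg.map (for gid 1 rules), which
is what the mapping warning in this message is about. The rules file, the two
map files and the warning line are constructed samples, not the real snort.org
files; the map formats assumed are `gid || sid || msg` for gen-msg.map and the
one-line `sid || msg` form of sid-msg.map, and "disabled rule" is the
heuristic of a `#` followed by a rule action keyword.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# 1) count enabled vs. commented-out rules in a Snort .rules file
# 2) resolve the gid:sid from a barnyard2 signature-cache warning
#    through gen-msg.map / sid-msg.map and flag gaps

# Print "enabled disabled" for one rules file. A disabled rule is a line
# starting with '#' followed by a rule action; ordinary comments are ignored.
count_rules() {
    file="$1"
    enabled=$(grep -cE '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$file" || true)
    disabled=$(grep -cE '^[[:space:]]*#[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$file" || true)
    echo "$enabled $disabled"
}

# Extract "gid sid" from a barnyard2 "[gid: N] [sid: M]" warning line;
# prints nothing if the line is not such a warning.
parse_warning() {
    printf '%s\n' "$1" | sed -n 's/.*\[gid: \([0-9]*\)\].*\[sid: \([0-9]*\)\].*/\1 \2/p'
}

# Generator 1 (rule hits) is keyed by sid alone in sid-msg.map; every other
# generator (decoder/preprocessor events) is keyed by gid and sid in gen-msg.map.
# Prints the message text; exit status 1 when the pair is not mapped.
lookup_msg() {
    gid="$1"; sid="$2"; sidmap="$3"; genmap="$4"
    if [ "$gid" -eq 1 ]; then
        awk -F' [|][|] ' -v s="$sid" '$1 == s { print $2; found=1 } END { exit !found }' "$sidmap"
    else
        awk -F' [|][|] ' -v g="$gid" -v s="$sid" '$1 == g && $2 == s { print $3; found=1 } END { exit !found }' "$genmap"
    fi
}

# Check one barnyard2 log line against the maps barnyard2 is configured with.
# Output is "gid:sid -> name" when mapped, "UNMAPPED gid:sid" when the map
# files are stale relative to the rules Snort is logging with.
check_warning() {
    line="$1"; sidmap="$2"; genmap="$3"
    set -- $(parse_warning "$line")
    if [ $# -ne 2 ]; then
        echo "NOT-A-CACHE-WARNING"; return 1
    fi
    msg=$(lookup_msg "$1" "$2" "$sidmap" "$genmap") && echo "$1:$2 -> $msg" || echo "UNMAPPED $1:$2"
}

# --- constructed sample inputs (placeholders, not the real snort.org files) ---
tmp=$(mktemp -d)
cat > "$tmp/scan.rules" <<'EOF'
# Sample file in the style of scan.rules: two of three rules ship disabled.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE disabled rule 1"; sid:9000001; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE disabled rule 2"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE enabled rule"; sid:9000003; rev:1;)
EOF
cat > "$tmp/sid-msg.map" <<'EOF'
9000003 || SAMPLE enabled rule
EOF
cat > "$tmp/gen-msg.map" <<'EOF'
120 || 3 || (http_inspect) SAMPLE preprocessor event
EOF
# Constructed single-line version of the warning quoted in the thread.
WARNING='[Event: 1] with [gid: 120] [sid: 3] [rev: 1] [classification: 2] [priority: 3]    was not found in barnyard2 signature cache'

echo "scan.rules enabled/disabled: $(count_rules "$tmp/scan.rules")"
check_warning "$WARNING" "$tmp/sid-msg.map" "$tmp/gen-msg.map"
check_warning "$WARNING" "$tmp/sid-msg.map" /dev/null
```

Run it against the real files by passing their paths in place of the sample
ones. A large disabled count on a freshly downloaded ruleset is what Robert
describes finding in scan.rules, so either uncomment the rules you want or
let a tool such as PulledPork manage the enable state; an UNMAPPED result
means the sid-msg.map / gen-msg.map that barnyard2 reads do not contain the
gid:sid pair Snort is logging, which is exactly the cache warning in this
message.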